HIPAA Training

Telehealth expanded overnight. Did your team's HIPAA training keep up?

The pandemic normalized virtual care, but OCR's enforcement discretion for telehealth platforms ended with the COVID-19 public health emergency on May 11, 2023 (a 90-day transition period closed on August 9, 2023). Every virtual visit, every remote worker and every telehealth platform you use must now meet full HIPAA requirements. Teams still operating on pandemic-era guidance are exposed. If your practice offers telehealth or remote patient services, this training closes that gap.

Start 14-day free trial

The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C) apply to all telehealth services. State telehealth laws add consent and licensure requirements on top of them.

Course Details

Duration: 25 minutes
Category: HIPAA
Regulatory Authority: HIPAA / State Telehealth Laws
Format: Audio-narrated slides + knowledge check
What you'll learn
  • HIPAA requirements for virtual visit platforms
  • Business Associate Agreements for telehealth vendors
  • Patient consent requirements for telehealth
  • Remote work PHI protection (home office, VPN)
  • State telehealth laws and cross-state practice
  • Breach risks specific to virtual care delivery

Who needs this training?

Dedicated telehealth providers carry the highest obligation. Any other healthcare setting that offers virtual care, even occasional telehealth visits, should train staff on telehealth-specific HIPAA requirements.

R = Required by regulation | S = Strongly recommended (HIPAA, state telehealth laws, best practice)

Organization Type | Status | Authority / Notes
Telehealth Providers | R | HIPAA + State Telehealth Laws. Telehealth is the primary care delivery channel; all staff require training on virtual visit privacy and security.
Physician Practices | S | If your practice offers telehealth or remote patient services, staff need training on HIPAA-compliant platform selection, remote work security, and patient consent requirements.
Mental Health Practices | S | Mental health has the highest telehealth adoption rate post-pandemic. If your practice offers telehealth, this training addresses the specific privacy considerations of virtual therapy sessions and prescription management.
Behavioral Health / SUD | S | If your organization offers telehealth delivery, staff need training on both HIPAA requirements and 42 CFR Part 2 protections for SUD records in virtual settings.
Physical Therapy Clinics | S | If your clinic offers telehealth PT sessions, staff need to understand platform requirements, patient consent, and remote work security obligations under HIPAA.
Dental Offices | S | If your practice offers teledentistry or remote consultations, HIPAA telehealth requirements apply to those services. Staff need training on appropriate platform use and patient communication privacy.
Urgent Care Centers | S | Many urgent care chains now offer telehealth and e-visit options. If your center offers telehealth or remote patient services, staff training on virtual visit privacy is strongly recommended.
Home Health Agencies | S | Remote monitoring and telehealth visits are growing in home health. If your agency uses remote monitoring technology or virtual check-ins, staff need training on telehealth-specific HIPAA requirements.
Community Health Centers (FQHCs) | S | If your FQHC offers telehealth services, staff training covers HIPAA platform requirements and state telehealth consent laws for the communities you serve.
Pharmacies | S | If your pharmacy offers telepharmacy, MTM telehealth, or remote prescription counseling services, HIPAA telehealth requirements apply to those interactions.

If your practice offers telehealth or remote patient services, even occasionally, this training addresses the privacy and security gaps that standard HIPAA training does not cover. Telehealth is the fastest-growing segment of healthcare delivery - training your team now prevents the compliance gaps that follow rapid expansion.

Common questions about telehealth privacy and HIPAA

Can providers use any video platform for telehealth under HIPAA?

No. A HIPAA-covered provider must use a video platform whose vendor will sign a Business Associate Agreement (BAA) and that provides appropriate security controls for electronic PHI (encryption in transit, access controls, audit logging). Consumer platforms such as FaceTime, a standard Zoom account (without a BAA), Skype, and Google Meet (without a Google Workspace BAA) do not satisfy this. OCR's enforcement discretion for consumer platforms during the COVID-19 public health emergency ended on May 11, 2023, with a transition period that closed on August 9, 2023. Providers still using non-compliant platforms without a BAA are exposed to enforcement action. A signed BAA by itself is not enough: the vendor must also implement the required technical safeguards, and your organization must deploy and configure the platform according to the vendor's HIPAA guidance rather than with consumer defaults.

Does HIPAA require patients to consent to telehealth visits?

HIPAA itself does not require a telehealth-specific consent: the Privacy Rule permits use and disclosure of PHI for treatment without patient authorization, and the consent to treatment you already collect comes from state law and clinical practice, not HIPAA. Many states, however, do require telehealth consent, and their requirements vary significantly: some require verbal consent documented in the record, others require written consent, and some specify what information must be provided (privacy measures, limitations of telehealth, emergency procedures). Organizations providing telehealth across multiple states must comply with each state's requirements, usually those of the state where the patient is located at the time of the visit. Even where not legally required, documenting patient telehealth consent is a best practice that protects both patients and providers.

How should staff protect PHI when working from home?

Remote workers accessing PHI must follow HIPAA Security Rule requirements regardless of location. Key safeguards include:
  • Using only organization-approved devices with full-disk encryption enabled
  • Connecting through a VPN approved by your organization, with multi-factor authentication on remote access
  • Conducting telehealth visits in a private location where conversations cannot be overheard or screens seen
  • Locking the screen immediately when stepping away
  • Never downloading or storing PHI on personal devices or personal cloud accounts
  • Using only organization-approved, BAA-covered communication platforms
  • Securing home Wi-Fi with WPA2 or WPA3 and a non-default router password
OCR enforcement actions repeatedly involve lost or stolen unencrypted devices and PHI kept outside organization-controlled systems; these basics are where remote work most often fails.

What happens when a telehealth platform vendor has a data breach?

Telehealth platform vendors are Business Associates under HIPAA. If they have a breach, they must notify your organization without unreasonable delay and no later than 60 days after discovery (45 CFR 164.410), and your organization remains responsible for notifying patients, HHS and, where required, the media. Your Business Associate Agreement should spell out the vendor's breach notification obligations and timeline, and in practice that contractual window should be much shorter than the regulatory maximum (days, not weeks): your own 60-day deadline to notify affected individuals runs from when the breach is discovered, and if the vendor is acting as your agent its discovery is imputed to you. Your organization's breach response plan must account for vendor-side incidents, because you cannot delegate breach notification obligations to a BA. Understanding the BA relationship and your organization's responsibilities regardless of where a breach originates is a critical part of telehealth compliance training.

Close the telehealth compliance gap

Setup takes about 5 minutes. Start your 14-day free trial now.


Regulatory Disclaimer

Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific modules currently cover CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.